Authentication using analog signal challenge

ABSTRACT

Determining authenticity of a component in an imaging device includes generating an analog signal as an authentication challenge to the component. The component then generates a response to the authentication challenge by converting the analog signal into one or more digital values and capturing a derivative of the one or more digital values as the response. Authenticity of the component is determined by comparing the response with an expected response.

CROSS REFERENCES TO RELATED APPLICATIONS

This application claims priority as a continuation application of U.S.patent application Ser. No. 17/740,476, filed May 10, 2022, having thesame title.

FIELD OF THE INVENTION

The present disclosure relates generally to authentication schemes, andmore particularly to authentication of security devices using an analogsignal as an authentication challenge. Particular embodiments includemethods of generating analog signal challenges and generating responsesto the analog signal challenges for authenticating security devices inan imaging device.

BACKGROUND

In some imaging devices, supply items such as ink and toner cartridgesare replaceable due to depletion of the consumable therein. In othersupply items, such as imaging units and fusers, they are replaceable dueto wear out of the physical mechanism. It is common to place securitydevices or integrated circuits with encryption and authenticationcircuits, based on digital technology, on supply items and connect thesesecurity devices with a controller in the printer. The controllerusually contains a system-on-chip (SoC) and non-volatile memory (NVM)from which it executes firmware to direct the authentication of securitydevices on supply items to verify whether the supply items are genuineand authentic.

In some cases, another instance of the same security device (which maybe referred to as a system security device) is also placed on thecontroller to reduce the likelihood of tampering during theauthentication of security devices on supply items. In such anarrangement, the controller may verify the authenticity of the supplyitem by generating a cryptographic challenge, either directly from theSoC or through the system security device and sending the challenge tothe security device on the supply item which, in turn, generates aresponse and returns the response to the controller. If the controllerverifies that the security device on the supply item responds correctlyto the challenge, the supply item is determined to be authentic.Otherwise, if the security device on the supply item respondsincorrectly, the supply item is determined to be non-authentic and anenforcement action may be initiated. The enforcement action may consistof no notification to the user, notification to the user that anon-authentic supply item is installed or notification to the user thatan unsupported supply item is installed.

One of the difficulties in developing security devices constructed withdigital integrated circuit technology (e.g., NAND, NOR, INV, FLIP-FLOP,etc. standard logic gates), is that they are susceptible to beingreverse engineered by an attacker copying the security device using chipdelayering and imaging techniques to extract a logic netlist and memorycontents. If a security device is reverse engineered and copied, anon-authentic device may be developed that produces the same digitalbehavior as the authentic device making it challenging to distinguish anon-authentic device from an authentic device. As a result, it isdesirable to develop new methods of authenticating security devices onsupply items beyond those digital methods known in the art.

The authentication system disclosed in U.S. patent application Ser. No.17/469,601 entitled “Authentication Using Current Drawn by SecurityDevice” introduced the use of current drawn by a security device inresponse to an execution of a command or a series of commands as anauthentication parameter. Because the current drawn by the securitydevice is expected to be a unique physical attribute of the securitydevice, the current drawn may be used in whole or in part to determineauthenticity of the security device. Specifically, a current monitorcircuit was used to convert the current drawn by the security deviceinto an analog voltage when a trigger condition was detected. The analogvoltage was then converted into a digital value by an analog-to-digitalconverter (ADC). The digital value was captured for a finite durationand stored in memory as the captured current profile. The capturedcurrent profile was then compared with the expected current profile(which was predetermined and stored in memory or dynamically generatedor computed) and a determination was made of the authenticity of thesecurity device on the supply item. The inventors recognize a need toprovide additional methods for authentication of security devices onsupply items.

SUMMARY

The foregoing and other are solved by using analog signals suitable forauthentication of security devices on supply items. In one embodiment, amethod is disclosed for determining authenticity of a component in animaging device. The method includes generating an analog signal as anauthentication challenge to the component. The component generates aresponse by converting the analog signal into one or more digital valuesand capturing a derivative of the one or more digital values as theresponse. The response is compared with an expected response todetermine authenticity of the component. Authentication may be one-wayauthentication where a component authenticates another component, mutualauthentication where two components authenticate each other, orself-authentication where a component authenticates itself. In oneaspect, a component is a controller of the imaging device or a tonercartridge of the imaging device.

In another embodiment, a method is disclosed for generating anauthentication challenge to a component of an imaging device fordetermining authenticity of the component. The method includesgenerating one or more random numbers and identifying one or moreparameters stored in memory based on the one or more random numbers. Ananalog circuit is used to generate a random analog signal based on theone or more parameters and the random analog signal is used as theauthentication challenge to the component.

In another embodiment, a method is disclosed for generating a responseto an authentication challenge for determining authenticity of acomponent in an imaging device. The method includes receiving, by thecomponent, an analog signal as the authentication challenge. The analogsignal is converted into one or more digital values and a derivative ofthe one or more digital values is captured as the response to theauthentication challenge.

In another embodiment, a security device for use on a supply item isdisclosed. In one embodiment, the security device includes a firstanalog circuit for generating an authentication challenge when thesecurity device receives a command to generate the authenticationchallenge. The first analog circuit generates the authenticationchallenge by converting one or more digital values into an analog signaland using the analog signal as the authentication challenge. Thesecurity device also includes a second analog circuit for generating aresponse to an analog signal authentication challenge when the securitydevice is being authenticated using the analog signal authenticationchallenge. The second analog circuit generates the response byconverting the analog signal authentication challenge into one or moredigital values and capturing a derivative of the one or more digitalvalues as the response.

BRIEF DESCRIPTION OF THE DRAWINGS:

FIG. 1 illustrates an imaging system according to one exampleembodiment;

FIG. 2 is a block diagram of a shared bus system illustratingcommunication between a controller and a plurality of supply itemsaccording to one example embodiment;

FIG. 3 shows an analog signal including a DC ramp used an exampleauthentication challenge;

FIG. 4 shows an analog signal including an AC ramp used as an exampleauthentication challenge;

FIG. 5 shows an example converted signal by an authentic security devicein response to the analog signal authentication challenge shown in FIG.3 ;

FIG. 6 shows an example converted signal by an authentic security devicein response to the analog signal authentication challenge shown in FIG.4 ;

FIG. 7 shows an example converted signal by a non-authentic securitydevice in response to the analog signal authentication challenge shownin FIG. 3 ;

FIG. 8 shows an example converted signal by a non-authentic securitydevice in response to the analog signal authentication challenge shownin FIG. 4 ;

FIG. 9 is a flowchart illustrating a method of one-way authenticationwhere a security device on the controller authenticates a securitydevice on a supply item, according to one example embodiment;

FIG. 10 is a flowchart illustrating a method of one-way authenticationwhere a security device on a supply item authenticates a security deviceon the controller, according to one example embodiment;

FIG. 11 is a flowchart illustrating a method of self-authenticationwhere a security device on a supply item authenticates itself, accordingto one example embodiment;

FIG. 12 is a block diagram of an example embodiment where anauthentication challenge is sent from a first security device to asecond security device over a DAC-ADC interface and a response sent fromthe second security device to the first security device over a serialinterface;

FIG. 13 is a block diagram of an example embodiment where anauthentication challenge is sent from a first security device to asecond security device over a DAC-ADC interface and a response sent fromthe second security device to the first security device over a DAC-ADCinterface;

FIG. 14 is a block diagram of an example embodiment where anauthentication challenge is sent over an internal DAC-ADC interface of afirst security device for self-authentication and a result of theself-authentication is sent from the first security device to a secondsecurity device over the serial interface;

FIG. 15 is a block diagram of an example embodiment where anauthentication challenge is sent from a first security device to asecond security device over a GPO-ADC interface and a response is sentfrom the second security device to the first security device over theserial interface;

FIG. 16 is a block diagram of an example embodiment where anauthentication challenge is sent from a first security device to asecond security device over a GPO-GPI interface and a response is sentfrom the second security device to the first security device over theserial interface;

FIG. 17 is a block diagram of an example embodiment where anauthentication challenge is sent from a first security device to asecond security device over a GPO-GPI interface and a response is sentfrom the second security device to the first security device over aGPO-GPI interface; and

FIG. 18 is a block diagram of an example embodiment where anauthentication challenge is sent over an internal GPO-GPI interface of afirst security device for self-authentication and a result of theself-authentication is sent from the first security device to a secondsecurity device over the serial interface.

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS

The present disclosure provides analog methods to authenticate supplyitems that are based on placing integrated circuits with analog circuittechnology, such as analog-to-digital converters (ADC),digital-to-analog converters (DAC), and operational amplifiers (OPAMP),on supply items and using these analog circuit features as part of theauthentication process. Because these analog circuits have uniquecharacteristics that are not easily copied with exactness (such assignal to noise ratio, offset and gain error, integral non-linearity,differential non-linearity, quantization error, analog voltage range,conversion rate, and digitized resolution), it is possible to improvethe security of authentication of supply items by using integratedcircuits with analog features that provide higher resistance to beingreverse engineered and copied than by only using security chips withdigital features.

With reference to FIG. 1 , a diagrammatic view of an imaging system 10is shown according to an example embodiment. Imaging system 10 includesan imaging device 15 used for printing images on sheets of media. Imagedata of the image to be printed on a media sheet may be supplied toimaging device 15 from a variety of sources such as a computer 20,laptop 25, mobile device 30, scanner 35, or like computing device. Thesources directly or indirectly communicate with imaging device 15 viawired and/or wireless connections. Imaging device 15 includes acontroller 40 and a user interface 45. Controller 40 may include aprocessor and associated memory. In some example embodiments, controller40 may be formed as one or more Application Specific Integrated Circuits(ASICs) or System-on-Chips (SoCs). Controller 40 may control theprocessing of print data. Controller 40 may also control the operationof a print engine during printing of an image onto a sheet of media.

In one example embodiment, imaging device 15 employs an electronicauthentication scheme to authenticate consumable supply items and/orreplaceable units installed in imaging device 15. In FIG. 1 , arepresentative supply item 55, such as a toner cartridge or an imagingunit, is shown. Supply item 55 may be installed in a correspondingstorage area 57 in imaging device 15. Supply item 55 includes anintegrated circuit chip or security device 60 that communicates withcontroller 40 in imaging device 15. Controller 40 may initiateauthentication challenges to verify authenticity of supply items 55. Theauthenticity is verified if the supply item 55 being authenticatedgenerates an expected response to the authentication challenge.Otherwise, the supply item 55 may be detected as a clone or counterfeitand appropriate actions may be taken to protect against the use ofsupply item 55 in order to optimize performance of and/or prevent damageto imaging device 15.

FIG. 2 illustrates a shared bus system 65 in which controller 40communicates with a number of security devices 60 in imaging device 15and supply items 55. In the embodiment illustrated, controller 40includes a System-on-Chip (SoC) 70 including a processor 72. SoC 70initiates and controls passing of communications including data,addresses, clock signals, and other control signals on a shared bus 80.Shared bus system 65 may employ the Inter-Integrated Circuit (“I2C”)protocol, although many other protocols can be utilized. One wire 82 ofshared bus 80 carries data in a bidirectional manner, and the other wire83 carries clock signals. While shared bus 80 is illustrated as atwo-wire serial bus, shared parallel bus structures or other wiredstructures may be utilized in other example embodiments. In yet otherexample embodiments, structures that facilitate communication betweencontroller 40 and supply items 55 may operate using wireless technology.

Host Firmware 75 running in SoC 70 is configured to initiateauthentication methods for validating authenticity of one or more ofsecurity devices 60. To initiate authentication, SoC 70 is configured tocommand one security device 60 to generate an authentication challengeand send the authentication challenge to another security device 60 thatis to be authenticated. Hereinafter, a security device 60 that receivesa command from SoC 70 to generate an authentication challenge may bereferred to as a security device challenge source 60, and a securitydevice 60 to be authenticated may be referred to as a security deviceunder authentication 60.

In the embodiment illustrated, security devices 60 are placed on supplyitem(s) 55 and on controller 40. Each security device 60 includes afirst analog circuit 62 for converting one or more digital values intoan analog signal and a second analog circuit 63 for converting an analogsignal into one or more digital values. Using the first analog circuit62 from one security device 60 (i.e., a security device challenge source60), a random analog signal may be generated as an authenticationchallenge, where the analog signal is random in amplitude (voltage),frequency, and duration. The authentication challenge is sent to anothersecurity device 60 (i.e., a security device under authentication 60)which generates a response to the authentication challenge by using itssecond analog circuit 63 to convert the received analog signal into oneor more digital values during a measurement interval. The measurementinterval may begin with a programmable start condition and end after aprogrammable duration. A derivative of the converted digital values(which may be any arithmetical or logical transformation of theconverted digital values) is captured as the actual response, and anauthentication algorithm is used to compare the actual response to anexpected response.

The expected response may be dynamically generated/computed orpredetermined and statically stored in memory. A predetermined thresholdmay be used to verify the authenticity of a security device 60 on supplyitem 55 and/or on controller 40. For example, the security device underauthentication 60 may be determined to be authentic when the comparisonof the actual response with the expected response exceeds thepredetermined threshold. Otherwise, the security device underauthentication 60 may be determined to be non-authentic when thecomparison does not exceed the predetermined threshold. Alternatively,reverse logic may be used for the comparison as desired. Host SoC 70 maycommand any of security devices 60 to generate an authenticationchallenge and send the generated authentication challenge to any of theother security devices 60. Accordingly, the authentication protocol maybe any combination of one-way authentication, mutual authentication, andself-authentication, as discussed in greater detail below.

The analog signal that is generated by a security device challengesource 60 and sent as an authentication challenge to a security deviceunder authentication 60 may be any DC signal (voltage varying in timefrom 0 volts to only a positive voltage, or from 0 volts to only anegative voltage) or AC signal (voltage varying in time from a negativevoltage to a positive voltage) that may be generated with anycombination of one or more analog circuits, such as (but not limited to)an output buffer, a digital-to-analog converter, or an operationalamplifier and passive components (resistor, inductor, capacitor). Manydifferent types of DC and AC analog signals may be generated as anauthentication challenge including (but not limited to) voltagewaveforms that are known in the art such as a square wave, ramp wave,triangle wave, sawtooth wave, pulse width modulated wave, rectifiedwave, sine wave, or complex wave, etc.

FIG. 3 shows a first analog signal 90 used as an example authenticationchallenge. In this example, first analog signal 90 is a DC ramp wavethat varies in 1 volt/second increments every other second with apeak-to-peak amplitude of 0 volts to 3 volts and having a period of 12seconds. FIG. 4 shows a second analog signal 95 used as another exampleauthentication challenge. In this example, analog signal 95 is an ACramp wave that varies in 1 volt/second increments every other secondwith a peak-to-peak amplitude of −3 volts to 3 volts and a having aperiod of 24 seconds.

The security device 60 that receives an analog signal as anauthentication challenge is configured to generate a correct response byaccurately converting the analog signal into one or more digital values,and then correctly computing an arithmetical or logical operation oneach converted digital value. To accurately convert the analog signalinto the expected set of digital values, each security device 60includes an input buffer circuit or an analog to digital convertercircuit (see, for example, FIGS. 12-18 ) with specifications that matchthe characteristics of the analog signal. Example characteristics mayinclude, but are not limited to, an input voltage range that matches apeak-to-peak range of analog signal, a sample frequency and conversionrate that is at least twice the highest frequency contained in theanalog signal, a digital output resolution that matches the expectedresolution, and compensation for offset, gain, and linearity conversionerror. To compute the correct arithmetical or logical operation on theconverted digital value, the security device 60 includes circuitrycapable of executing arithmetical or logical operations according toparameters sent by the command from SoC 70 or parameters stored in thesecurity device 60. Example arithmetical or logical operations mayinclude, but are not limited to, a no-operation (no calculation), anaddition, a subtraction, a multiplication, a division, anexponentiation, a logical shift, or an arithmetic shift.

As an example, an authentic security device 60 may include circuitry,such as an analog to digital converter (ADC) seen in FIGS. 12-18 ,capable of sampling the analog signal authentication challenges 90, 95in FIGS. 3 and 4 at a rate of one sample every one-half second and/orcapable of near zero conversion error in order to be capable ofgenerating correctly converted signals 100, 105 shown in FIGS. 5 and 6 ,respectively, where the discrete samples are represented by the “dots”in the graph. An authentic security device 60 may include a rectifiercircuit (not shown) of any kind that converts an AC signal into a DCsignal before converting the rectified signal into a digital outputconsisting of only positive or negative voltages (including zero). Theconverted digital output may be enhanced by several techniques known inthe art including, but not limited to, oversampling, averaging,interpolation, or decimation. After conversion and enhancement, theauthentic security device 60 is configured to perform an arithmetical orlogical computation on each digital value according to parameters storedin the security device to produce the correct response to the challenge.

In this example, an authentic security device 60 will be able togenerate an actual response corresponding to the converted signal 100shown in FIG. 5 in response to the DC analog signal authenticationchallenge 90 shown in FIG. 3 where no-operation is computed on theconverted digital values. The actual response is illustrated as “dots”on the graph in FIG. 5 and consists of a data set of twenty-five 16-bitdigital values at or very close to 0, 0, 0, 0.5, 1, 1, 1, 1.5, 2, 2, 2,2.5, 3, 3, 3, 2.5, 2, 2, 2, 1.5, 1, 1, 1, 0.5, 0 volts within ameasurement interval from 0 seconds to 12 seconds. Similarly, in theabove example, the authentic security device 60 will be able to generatean actual response corresponding to the converted signal 105 shown inFIG. 6 in response to the AC analog signal authentication challenge 95shown in FIG. 4 where no-operation is computed on the converted digitalvalues. The actual response is illustrated as “dots” on the graph inFIG. 6 and consists of a data set of forty-nine 16-bit digital values ator very close to 0, 0, 0, 0.5, 1, 1, 1, 1.5, 2, 2, 2, 2.5, 3, 3, 3, 2.5,2, 2, 2, 1.5, 1, 1, 1, 0.5, 0, 0, 0, −0.5, −1, −1, −1, −1.5, −2, −2, −2,−2.5, −3, −3, −3, −2.5, −2, −2, −2, −1.5, −1, −1, −1, −0.5, 0 voltswithin a measurement interval from 0 seconds to 24 seconds.

The expected response of an authentic security device 60 to an analogsignal authentication challenge may be predetermined by characterizationand statically stored in memory or computed dynamically by firmware.Alternatively, the expected response may be generated dynamically fromthe response of a trusted instance of the same security device. Whenpredetermined, one or more challenge/response pairs may be combined withother device specific information (such as a serial number of the supplyitem) and signed with a digital signature algorithm (such as EllipticCurve Digital Signature Algorithm or ECDSA) and encrypted with anencryption algorithm (such as Advanced Encryption Standard or AES), andboth signature and encrypted result may be stored in a non-volatilememory (NVM).

In the above example, the expected response of an authentic securitydevice 60 to the DC analog signal authentication challenge 90 shown inFIG. 3 where no-operation is computed on the converted digital valuesconsists of a data set of twenty-five 16-bit digital values representing0, 0, 0, 0.5, 1, 1, 1, 1.5, 2, 2, 2, 2.5, 3, 3, 3, 2.5, 2, 2, 2, 1.5, 1,1, 1, 0.5, 0 volts within the measurement interval from 0 seconds to 12seconds. Similarly, in the above example, the expected response of anauthentic security device 60 to the AC analog signal authenticationchallenge 95 shown in FIG. 4 where no-operation is computed on theconverted digital values consists of a data set of forty-nine 16-bitdigital values representing 0, 0, 0, 0.5, 1, 1, 1, 1.5, 2, 2, 2, 2.5, 3,3, 3, 2.5, 2, 2, 2, 1.5, 1, 1, 1, 0.5, 0, 0, 0, −0.5, −1, −1, −1, −1.5,−2, −2, −2, −2.5, −3, −3, −3, −2.5, −2, −2, −2, −1.5, −1, −1, −1, −0.5,0 volts within the measurement interval from 0 seconds to 24 seconds.

The actual response of an authentic security device 60 to an analogsignal authentication challenge and the expected response of anauthentic security device 60 may differ slightly due to part to partvariation of each instance of the same security device, but a highdegree of statistical correlation may be seen when the data set of theresponse is compared with the data set of the expected response using anauthentication algorithm such as the Pearson Correlation Coefficient.For example, a predetermined threshold, such as a Pearson CorrelationCoefficient of 0.8 or greater, may be used for authentication. In thisexample, a resulting statistical correlation value less than thethreshold of 0.8 indicates a weaker strength of association between theactual response and the expected response, whereas a resultingstatistical correlation value greater than or equal to the threshold of0.8 indicates a stronger strength of association between the actualresponse and the expected response. If the result of the correlationbetween the actual response of an authentic security device and theexpected response of an authentic security device passes thepredetermined threshold, the authentic security device may be identifiedand authenticated.

However, a non-authentic security device is expected to have analogcircuit characteristics that vary significantly from an authenticsecurity device 60. These variances may manifest themselves in an actualresponse to an analog signal authentication challenge that will not bestatistically correlated with the expected response of an authenticsecurity device 60 using the same predetermined threshold, such as thePearson Correlation Coefficient of 0.8 in the above example. Forexample, a non-authentic security device may contain an analog todigital converter incapable of sampling and converting analog signalauthentication challenges in the same way an authentic security device60 does, such as at a rate of one sample every one-half second and/ornear zero conversion error in the above example, resulting inincorrectly converted signals. FIGS. 7 and 8 respectively show exampleconverted signals 110, 115 from a non-authentic security device inresponse to authentication challenges 90 and 95, respectively, whichdeviate from correctly converted signals 100, 105 shown in FIGS. 5 and 6, respectively. In these examples, the analog to digital converter inthe non-authentic security device has an inadequate sample frequency andconversion rate of one sample every two seconds and an inadequateconversion error of one volt offset error and, as a result, is unable toconvert the analog signal with the required accuracy.

In this example, a non-authentic security device with inadequate analogcircuit capabilities may generate response 110 shown in FIG. 7 to the DCanalog signal authentication challenge 90 shown in FIG. 3 whereno-operation is computed on the converted digital values. The response110 is illustrated as “dots” (sampled from an incorrectly convertedsignal 112) on the graph in FIG. 7 and may consist of a data set ofseven 16-bit digital values close to 1, 2, 3, 4, 3, 2, 1 volts withinthe measurement interval from 0 seconds to 12 seconds. Similarly, inthis example, a non-authentic security device with inadequate analogcircuit capabilities may generate response 115 shown in FIG. 8 to the ACanalog signal authentication challenge 95 shown in FIG. 4 whereno-operation is computed on the converted digital values. The response115 is illustrated as “dots” (sampled from an incorrectly convertedsignal 117) on the graph in FIG. 8 and may consist of a data set ofthirteen 16-bit digital values close to 1, 2, 3, 4, 3, 2, 1, 0, −1, −2,−1, 0, 1 volts within the measurement interval from 0 seconds to 24seconds. It may be seen by observation of FIGS. 7 and 8 that even usinginterpolation between consecutive discrete samples, the convertedwaveforms 113, 118 produced by a non-authentic device is a triangle wavewith one volt offset error instead of a multi-amplitude ramp wave withzero volt offset error produced by an authentic security device.

As a result, a non-authentic security device will not be able to convertthe analog signal authentication challenge into a one or more digitalvalues and/or be able to compute the correct arithmetical or logicaloperation on the converted digital values to generate a response withsufficient accuracy to produce a high degree of statistical correlationwhen the data set of the actual response is compared with the data setof the expected response using an authentication algorithm, such as thePearson Correlation Coefficient. In this case, the result of thecorrelation between the actual response of a non-authentic securitydevice and the expected response of an authentic security device 60 willnot pass a predetermined threshold, such as the Pearson CorrelationCoefficient of 0.8 or greater discussed above, used for authenticationand the non-authentic security device may be identified as counterfeitand not be authenticated.

Various embodiments of the methods will now be described, but theexamples provided herein should not be viewed as exhaustive as there aremany embodiments that may be used to authenticate security devices usinganalog circuit technology disclosed herein and all combinations of theseelements are considered embodiments herein. For example, the analogcircuits used to generate an analog signal challenge and generate theresponse may be integrated in the SoC 70, or they may consist of one ormore discrete components placed on a printed circuit board in imagingdevice 15 or supply item 55 that may be electrically connected in one ormore ways. These components may also have one or more uniquespecifications such as analog voltage range, conversion rate, anddigital resolution.

Additionally, many different authentication algorithms (such as PearsonCorrelation Coefficient) and predetermined thresholds may be used toauthenticate security devices and these authentication algorithms may beperformed by firmware executing on a security device or an SoC. Further,the authentication of security devices disclosed herein may use one-wayauthentication protocol, mutual-authentication protocol, orself-authentication protocol in any of the following ways.

-   -   A security device on a controller may authenticate a security        device on a supply item (one-way authentication).    -   A security device on a supply item may authenticate a security        device on a controller (one-way authentication).    -   A security device on a controller and a security device on a        supply item may authenticate each other (mutual authentication).    -   A security device on a first supply item may authenticate        another security device on a second supply item (one-way        authentication).    -   A security device on a first supply item and another security        device on a second supply item may authenticate each other        (mutual authentication).    -   A security device on a controller may authenticate itself        (self-authentication).    -   A security device on a supply item may authenticate itself        (self-authentication).

FIG. 9 illustrates an example method of one-way authentication where asecurity device 60 on controller 40 authenticates a security device 60on a supply item 55. Hereinafter, the security device placed oncontroller 40 may be referred to as system security device 60 and thesecurity device placed on a supply item 55 may be referred to as supplysecurity device 60. At block 120, system security device 60 oncontroller 40 generates an authentication challenge by computing arandom analog signal and sends the (analog signal) challenge to supplysecurity device 60 on supply item 55. The random analog signal generatedas an authentication challenge may be random in amplitude (voltage),frequency, and/or duration. For example, the authentication challengemay be generated by generating one or more random numbers with apredetermined size and using the generated one or more random numbers asone or more indexes into a table of parameters stored in memory, whereeach entry in the table contains one or more parameters. The one or moreparameters may then be used to configure an analog circuit, such as adigital-to-analog converter, a general-purpose-output, and a voltagelevel translator (discussed in greater detail in the examples below), togenerate a random analog signal that varies in amplitude, frequency, andduration based on the one or more parameters. The digital-to-analogconverter, general-purpose-output or voltage level translator may becircuits including one or more discrete components or a unit integratedinto a component.

At block 122, supply security device 60 generates an actual responseupon receiving the analog signal challenge from system security device60 and sends the actual response to system security device 60. Supplysecurity device 60 may generate the actual response by converting theanalog signal challenge into one or more digital values during ameasurement interval, wherein the measurement interval begins with aprogrammable start condition and ends after a programmable duration.Supply security device 60 may be configured to compute an arithmetic orlogical derivative of the one or more digital values, and capture thecomputed derivative of the digital values as the actual response. Forexample, the actual response may be generated by using one or moreparameters stored in memory to configure an analog circuit, such asanalog-to-digital converter, a general-purpose-input, and a voltagelevel translator (discussed in greater detail in the examples below), toconvert the analog signal challenge into one or more digital valuesduring a measurement interval, where the measurement interval isdetermined by one or more parameters stored in NVM, and to capture aderivative of the digital values as the response. The derivative may beany arithmetical or logical transformation of the converted digitalvalues, where the number, frequency, resolution, and truncation of thedigital values of the response are determined by one or more parametersstored in memory. The analog-to-digital converter, general-purpose-input(GPI), and voltage level translator may be circuits including one ormore discrete components or a unit integrated into a component. Eachsecurity device may generate the same or a different response to thesame challenge based on configuration parameters stored in memory.

At block 124, system security device 60 generates an expected responseby dynamically computing or generating the expected response and/or byreading the expected response as a predetermined value from memory. Forexample, the expected response may be generated by reading from apredetermined finite number of expected responses statically stored innon-volatile memory on the controller 40 or on the security device 60.Alternatively, the expected responses may be stored in a cloud databaseindexed by a finite size hash of device specific information andaccessed by the controller 40 through a secure network connection. Inanother example, where a security device on the controller 40 and asecurity device on the supply item 55 are instances of the same securitydevice, the expected response of a first security device to anauthentication challenge may be dynamically generated by generating thesame response of a second security device using the same analog signalchallenge and the same response computation as was used for the firstsecurity device. As an example, SoC 70 may command system securitydevice 60 a and supply security device 60 b to each generate an analogresponse to an authentication challenge with the same parameters. SoC 70may then measure each of the responses from the system security device60 a and supply security device 60 b and compare them. If systemsecurity device 60 a is considered as the reference, the response fromsystem security device 60 a is set as the expected response and theresponse from supply security device 60 b must match the response fromsystem security device 60 a within margins for supply security device 60b to be considered authentic.

At block 126, system security device 60 verifies the actual responsereceived from supply security device 60 by comparing the actual responsewith the expected response using a statistical correlation algorithm anda predetermined threshold. For example, the actual response and theexpected response may be compared using Pearson correlationcoefficients. With a Pearson correlation coefficient of 0.8 used as apredetermined threshold, for example, a correlation computation betweenthe actual response and the expected response that results in a Pearsoncorrelation coefficient below 0.8 may indicate a relatively weakrelationship between the actual response and the expected response. Onthe other hand, a correlation computation between the actual responseand the expected response that results in a Pearson correlationcoefficient equal to or greater than 0.8 may indicate a relativelystrong relationship between the actual response and the expectedresponse.

At block 128, a determination is made whether the actual response ofsupply security device 60 matches the expected response. For instance,in the above example, it may be determined that the actual response doesnot match the expected response if the resulting Pearson correlationcoefficient of the correlation computation is less than thepredetermined threshold of 0.8. Otherwise, if the correlationcomputation results in a Pearson correlation coefficient that is greaterthan or equal to the predetermined threshold of 0.8, it may bedetermined that the actual response of the supply security devicematches the expected response.

When it is determined at block 128 that the actual response matches theexpected response, an indication may be made that supply security device60 (and, consequently, supply item 55) is authentic at block 130.Otherwise, when it is determined at block 128 that the actual responsedoes not match the expected response, an indication may be made thatsupply security device 60 (and, consequently, supply item 55) isnon-authentic at block 132. One or more enforcement actions may beperformed to protect against the use of the non-authentic supply itemand/or prevent damage to imaging device 15. For example, the enforcementaction may include preventing use of the non-authentic supply item inimaging device 15 and/or notifying the user that anon-authentic/unsupported supply item is installed.

FIG. 10 illustrates an example method of one-way authentication where asupply security device 60 on supply item 55 authenticates systemsecurity device 60 on controller 40. It is noted that the sametechniques and operations described above with respect to FIG. 9 may beused in this example when applicable. At block 140, supply securitydevice 60 on supply item 55 generates an authentication challenge bycomputing a random analog signal and sends the challenge to systemsecurity device 60 on controller 40. Upon receiving the challenge fromsupply security device 60, system security device 60 generates an actualresponse by converting the analog signal into one or more digital valuesand computing an arithmetic or logical derivative, and sends the actualresponse to supply security device 60 at block 142. At block 144, supplysecurity device 60 generates an expected response by dynamicallycomputing or generating the expected response, and/or by reading theexpected response as a predetermined value from memory in the samemanner as discussed above with respect to FIG. 9 . In another example,for instances where security devices 60 are instances of the samesecurity device, a second security device may be used to generate ananalog response to the same authentication challenge with the sameparameters and such analog response may be used as the expected responseof the first security device. At block 146, supply security device 60verifies the actual response received from system security device 60 bycomparing the actual response with the expected response using astatistical correlation algorithm and a predetermined threshold. Atblock 148, a determination is made whether the actual response of systemsecurity device 60 matches the expected response. When it is determinedat block 148 that the actual response matches the expected response, anindication may be made that system security device 60 (and,consequently, controller 40) is authentic at block 150. Otherwise, whenit is determined at block 148 that the actual response does not matchthe expected response, an indication may be made that system securitydevice 60 (and, consequently, controller 40) is non-authentic at block152. One or more enforcement actions may be performed to protect againstthe use of the non-authentic controller.

In the example shown in FIG. 10 , one-way authentication is performedfor instances where a supply security device 60 on supply item 55authenticates system security device 60 on controller 40. In otherembodiments, a supply security device 60 on supply item 55 mayauthenticate a supply security device 60 on another supply item 55(instead of system security device 60 on controller 40) by applying thesame method discussed above with respect to FIG. 10 . In particular, thesupply security device 60 on a first supply item 55 may generate anauthentication challenge and send the authentication challenge toanother supply security device 60 on a second supply item 55. In turn,the supply security device 60 on the second supply item 55 may generatea response and send the response to the security device 60 on the firstsupply item 55. Verification of the response may then be performed usingthe same techniques and operations discussed above.

FIG. 11 illustrates an example method of self-authentication where asupply security device 60 on supply item 55 authenticates itself. It isnoted that the same techniques and operations described above withrespect to FIG. 9 may be used in this example when applicable. At block160, supply security device 60 generates an authentication challenge bycomputing a random analog signal and sends the challenge to itself. Atblock 162, supply security device 60 generates an actual response byconverting the analog signal into one or more digital values andcomputing an arithmetic or logical derivative, and sends the actualresponse to itself. At block 164, supply security device 60 generates anexpected response by dynamically computing or generating the expectedresponse and/or by reading the expected response as a predeterminedvalue from memory. At block 166, supply security device 60 verifies theactual response by comparing the actual response with the expectedresponse using a statistical correlation algorithm and a predeterminedthreshold. At block 168, a determination is made whether the actualresponse matches the expected response. When it is determined at block168 that the actual response matches the expected response, anindication may be made that supply security device 60 (and,consequently, supply item 55) is authentic at block 170. Otherwise, whenit is determined at block 168 that the actual response does not matchthe expected response, an indication may be made that supply securitydevice 60 (and, consequently, supply item 55) is non-authentic at block172. One or more enforcement actions may be performed to protect againstthe use of the non-authentic supply item. The same method may be appliedby system security device 60 on controller 40 for authenticating itself.

Analog authentication schemes have been described above that may be usedto authenticate security devices 60. Presented below, with reference toFIGS. 12-18 , are specific examples and methodologies executed onsecurity devices 60 that may be used for analog authentication, such asbetween security devices 60 in imaging device 15 and supply items 55. Inthe examples shown, instances of the same security device are placed oncontroller 40 and on each supply item 55. The security devices aregenerally designated as security devices 60, but the security deviceplaced on controller 40 has been designated as system security device 60a and each security device placed on each supply item 55 has beendesignated as supply security device 60 b for ease of description. Eachsecurity device 60 may include an I²C master serial interface (I2CM)unit 265 and an I²C slave serial interface (I2CS) unit 260, amicrocontroller (MCU) unit 240, an encryption (ENC) unit 250 and adecryption (DEC) unit 255, a non-volatile memory (NVM) 245, ageneral-purpose-input (GPI) unit 280, a general-purpose-output (GPO)unit 285, an analog-to-digital converter (ADC) unit 270 and adigital-to-analog-converter (DAC) unit 275. SoC 70 in controller 40 mayinclude a central processing unit (CPU) 200, an NVM 205, an I2CM unit210, an I2CS unit 215, an ADC unit 220, a DAC unit 225, a GPI unit 230,and a GPO unit 235. In the embodiment illustrated, SoC 70 directlycommunicates with system security device 60 a while communicationbetween SoC 70 and supply security devices 60 b go through systemsecurity device 60 a. In other embodiments, SoC 70 may directlycommunicate with all security devices 60 including system securitydevice 60 a and supply security devices 60 b, such as via a shared bus.

DAC-ADC Serial (Authentication Challenge Sent Over DAC-ADC Interface,Response Sent Over Serial Interface)

In the embodiment shown in FIG. 12 , I2CM unit 210 of SoC 70 isconnected to the I2CS unit 260 of system security device 60 a and theI2CM unit 265 of system security device 60 a is connected to the I2CSunit 260 of each supply security device 60 b. In addition, the output ofDAC unit 275 of system security device 60 a is connected to the input ofADC unit 270 of each supply security device 60 b, and the output of DACunit 275 of each supply security device 60 b is connected to the inputof ADC unit 270 of system security device 60 a, either directly orthrough a multiplexor (MUX) 295. In this embodiment, the authenticationof supply security devices 60 b on supply items 55 uses both digital andanalog authentication methods described in some detail below.

Digital authentication consists of the host SoC 70 commanding, forexample, the system security device 60 a to generate a randomcryptographic challenge and to send the challenge to a supply securitydevice 60 b. The supply security device 60 b receives the challenge andgenerates a response using a cryptographic algorithm and shared secretkey, known only to the system and supply security devices 60. The supplysecurity device 60 b returns the response to the system security device60 a that verifies the response by using a cryptographic algorithm andshared secret key, to determine the authenticity of each supply securitydevice 60 b on supply item 55. The system security device 60 a thencommunicates the verification result to the SoC 70 for further action.Since the challenge, response, and result are computed and communicateddigitally over the serial interface, this type of digital authenticationproduces a completely deterministic result (i.e., execution will alwaysproduce the same result under the same circumstances and/or inputs).

Analog authentication consists of the host SoC 70 commanding, forexample, the system security device 60 a to generate an authenticationchallenge consisting of an analog signal that may vary in amplitude,frequency, and/or duration. Firmware on the system security device 60 agenerates the authentication challenge using parameters stored in itsNVM 245 to configure and control its DAC unit 275 to output an analogsignal that is connected to the input of the ADC unit 270 of the supplysecurity device 60 b. Firmware on the supply security device 60 bgenerates a response using parameters stored in its NVM 245 to define ameasurement interval. The ADC unit 270 of the supply security device 60b is configured to convert the analog signal at its input into one ormore digital values during the measurement interval. A derivative of thedigital values is captured as the response. As before, the derivativemay be any arithmetical operation or logical transformation performed onthe converted digital values which may be based on one or moreparameters and/or instructions stored in memory. The response is sentfrom the supply security device 60 b to the system security device 60 aover the serial interface.

The system security device 60 a verifies the response from the supplysecurity device 60 b (or sends the response to the SoC 70 to verify) bycomparing it to an expected response (that is dynamically computed orpredetermined and statically stored in memory) using a statisticalalgorithm and predetermined threshold to determine the authenticity ofthe supply security device 60 b on supply item 55. The system securitydevice 60 a then communicates the verification result to the SoC 70 forfurther action. Since the challenge is an analog signal and the responseis a digitized value with finite quantization error, this type of analogauthentication produces a statistical result and uses a predeterminedthreshold for verification.

For both the digital and analog challenge/response authentication, thedigital communication between the master and slave devices over theserial interfaces may be encrypted and authenticated with cryptographicprotocols using one-way authentication (SoC 70 authenticates systemsecurity device 60 a and system security device 60 a authenticatessupply security device 60 b) or mutual authentication (SoC 70 and systemsecurity device 60 a authenticate each other, and system security device60 a and supply security device 60 b authenticate each other).

The analog challenge/response authentication between the securitydevices 60 over the analog interfaces (DAC-to-ADC and ADC-to-DAC) may beone-way authentication (system security device 60 a authenticates supplysecurity device 60 b), mutual authentication (system security device 60a and supply security device 60 b authenticate each other), orself-authentication (system security device 60 a authenticates itselfand supply security device 60 b authenticates itself).

Additional embodiments are described below, but these additionalembodiments should not be viewed as exhaustive. It should also beunderstood that all previous descriptions may apply in whole or in partto these additional embodiments.

DAC-ADC Wrap (Authentication Challenge Sent Over DAC-ADC Interface,Response Sent Over DAC-ADC Interface)

In the embodiment shown in FIG. 13 , all components are placed andconnected as described for the embodiment shown in FIG. 12 , but analogauthentication differs as follows. Instead of a digital response beingsent from the supply security device 60 b to the system security device60 a over the serial interface, an analog response is sent over theconnection between the output of the DAC unit 275 of the supply securitydevice 60 b and the input of the ADC unit 270 of the system securitydevice 60 a. This results in an analog signal loop where the challengeis sent from the output of the DAC unit 275 of the system securitydevice 60 a to the input of the ADC unit 270 of the supply securitydevice 60 b, and the response is sent from the output of the DAC unit275 of the supply security device 60 b to the input of the ADC unit 270of the system security device 60 a.

Analog authentication consists of the host SoC 70 commanding, forexample, the system security device 60 a to generate an authenticationchallenge consisting of an analog signal that may vary in amplitude,frequency, and/or duration. Firmware on the system security device 60 agenerates the authentication challenge using parameters stored in theNVM to configure and control the DAC unit 275 to output a first analogsignal that is connected to the input of the ADC unit 270 of the supplysecurity device 60 b. Firmware on the supply security device 60 bgenerates a first response using parameters stored in the NVM to definea first measurement interval and to configure the ADC unit 270 toconvert the first analog signal into one or more digital values duringthe first measurement interval. A derivative of the digital values iscaptured as the first response.

Firmware on the supply security device 60 b generates a second analogsignal using the first response and parameters stored in the NVM toconfigure and control the DAC unit 275 to output the second analogsignal that is connected to the input of the ADC unit 270 of the systemsecurity device 60 a. The firmware on the system security device 60 agenerates a second response using parameters stored in the NVM to definea second measurement interval and to configure the ADC unit 270 toconvert the second analog signal into one or more digital values duringthe second measurement interval. A derivative of the digital values iscaptured as the second response.

The second response is verified by the system security device 60 a (orsent to the SoC 70 to verify) as previously described, and the result iscommunicated over the serial interface to the SoC 70 for further action.

Internal Wrapback Self-Authentication (Authentication Challenge SentOver Internal DAC-ADC Interface for Self-Authentication, Result SentOver Serial Interface)

In the embodiment shown in FIG. 14 , all components are placed andconnected as described for the embodiment shown in FIG. 13 , but analogauthentication differs as follows. Instead of the analog signal beinggenerated and sent by one security device to another security deviceover the external analog connection (DAC-to-ADC), the analog signal isgenerated and sent by a security device to itself over an internalanalog connection (DAC-to-ADC). This enables a security device toself-authenticate itself and communicate the result over the serialinterface.

Analog authentication begins with the host SoC 70 commanding, forexample, the system security device 60 a to self-authenticate itself andto command a supply security device 60 b to self-authenticate itself.The supply security device 60 b internally connects the output of itsDAC unit 275 to the input of its ADC unit 270 and disconnects them fromtheir external connections. The supply security device 60 b thengenerates a random challenge, generates a response, and verifies theresponse as previously described to self-determine its authenticity. Thesupply security device 60 b communicates the result of the of theself-authentication to the system security device 60 a over the serialinterface and the system security device 60 a communicates the resultsof the self-authentication over the serial interface to the SoC 70 forfurther action.

GPO-ADC Serial (Authentication Challenge Sent Over GPO-ADC Interface,Response Sent Over Serial Interface)

In the embodiment shown in FIG. 15 , all components are placed asdescribed for the embodiment shown in FIG. 12 , but analogauthentication differs as follows. Instead of an analog signal beinggenerated at the output of the DAC unit 275 of a security device 60, theanalog signal is generated at the GPO unit 285 of a security device 60that is connected to the input of the ADC unit 270 of another securitydevice 60 either directly or through MUX 295 and/or a programmablevoltage level translator (VLT) 300. VLT 300, for example, may include aconfigurable resistor divider for varying the amount of output voltagesin a controlled manner, and/or circuitry capable of setting differentvoltages based on signals from GPO 285. In this configuration, VLT 300takes in signals from GPO 285 and converts the signals into amulti-level analog signal based on its programmed configuration. Themulti-level analog signal at the output of VLT 300 is then used as theauthentication challenge. VLT 300 may be implemented with an externalcomponent or any combination of external components relative to securitydevice 60, or integrated in the security device 60 as part of GPO 285.

Analog authentication consists of the host SoC 70 commanding, forexample, the system security device 60 a to generate an authenticationchallenge consisting of an analog signal that may vary in amplitude,frequency, and/or duration. Firmware on the system security device 60 agenerates the authentication challenge using parameters stored in theNVM to configure the programmable VLT 300 to set the amplitude of theanalog signal and to set the frequency and duration of the analog signalusing a pattern generator (any combination of hardware and firmware) tocontrol the hardware of the GPO unit 285 and VLT 300 to output theanalog signal that is connected to the input of the ADC unit 270 of thesupply security device 60 b. Firmware on the supply security device 60 bgenerates a response using parameters stored in the NVM to define ameasurement interval and to configure the ADC unit 270 to convert theanalog signal at the input of the ADC unit 270 into one or more digitalvalues during the measurement interval. A derivative of the digitalvalues is captured as the response. The response is sent from the supplysecurity device 60 b to the system security device 60 a over the serialinterface where it is verified as previously described, and the resultis communicated over the serial interface to the SoC 70 for furtheraction.

GPO-GPI Serial (Authentication Challenge Sent Over GPO-GPI Interface,Response Sent Over Serial Interface)

In embodiment shown in FIG. 16 , all components are placed as describedfor the embodiment shown in FIG. 15 , but analog authentication differsas follows. Instead of the generated analog signal being sent to theinput of the ADC unit 270 of another security device 60, the analogsignal is sent to the GPI unit 280 of another security device 60 eitherdirectly or through MUX 295 and/or programmable VLT 300. In thisexample, the analog authentication challenge generated by systemsecurity device 60 a may include a random serial pattern that isserially shifted across the GPO 285 of system security device 60 a tothe GPI 280 of supply security device 60 b using VLT 300. Supplysecurity device 60 b is configured to capture the serial pattern of theauthentication challenge from VLT 300 and generate a response bycomputing an arithmetic or logic operation on the authenticationchallenge.

Analog authentication consists of the host SoC 70 commanding, forexample, the system security device 60 a to generate an authenticationchallenge consisting of an analog signal that may vary in amplitude,frequency, and/or duration. Firmware on the system security device 60 agenerates the authentication challenge using parameters stored in theNVM to configure programmable VLT 300 to set the amplitude of the analogsignal and to set the frequency and duration of the analog signal usinga pattern generator (any combination of hardware and firmware) tocontrol the hardware of the GPO unit 285 and VLT 300 to output theanalog signal that is connected to the GPI unit 280 of the supplysecurity device 60 b. Firmware on the supply security device 60 bgenerates a response using parameters stored in the NVM to define ameasurement interval and to configure the GPI unit 280 to convert theanalog signal into one or more digital values during the measurementinterval. A derivative of the digital values is captured as theresponse. The response is sent from the supply security device 60 b tothe system security device 60 a over the serial interface where it isverified as previously described, and the result is communicated overthe serial interface to the SoC 70 for further action.

GPO-GPI Wrap (Authentication Challenge Sent Over GPO-GPI Interface,Response Sent Over GPO-GPI Interface)

In the embodiment shown in FIG. 17 , all components are placed andconnected as described for the embodiment shown in FIG. 16 , but analogauthentication differs as follows. Instead of a digital response beingsent from the supply security device 60 b to the system security device60 a over the serial interface, an analog response is sent over theconnection between the GPO unit 285 of the supply security device 60 band the GPI unit 280 of the system security device 60 a using VLT 300.In this configuration, the multi-level analog signal at the output ofVLT 300 between GPO 285 of system security device 60 a and GPI 280 ofsupply security device 60 b is used as the analog authenticationchallenge, while the multi-level analog signal at the output of VLT 300between GPO 285 of supply security device 60 b and GPI 280 of systemsecurity device 60 a is used as the analog response. In one example, theanalog response may be serially shifted across the GPO 285 of supplysecurity device 60 a to the GPI 280 of system security device 60 a usingVLT 300. This results in an analog signal loop where the challenge issent from the GPO unit 285 of the system security device 60 a connectedto the GPI unit 280 of the supply security device 60 b, and the responseis sent from the GPO unit 285 of the supply security device 60 bconnected to the GPI unit 280 of the system security device 60 a.

Analog authentication consists of the host SoC 70 commanding, forexample, the system security device 60 a to generate an authenticationchallenge consisting of an analog signal that may vary in amplitude,frequency, and/or duration. Firmware on the system security device 60 agenerates the authentication challenge using parameters stored in theNVM to configure VLT 300 to set the amplitude of the analog signal andto set the frequency and duration of the analog signal using a patterngenerator (any combination of hardware and firmware) to control the GPOunit 285 and VLT 300 to output a first analog signal that is connectedto the GPI unit 280 of the supply security device 60 b. Firmware on thesupply security device 60 b generates a first response using parametersstored in the NVM to define a first measurement interval and toconfigure the GPI unit 280 to convert the analog signal at its inputinto one or more digital values during the first measurement interval. Aderivative of the digital values is captured as the first response.

The firmware on the supply security device 60 b generates an analogsignal using the first response and parameters stored in the NVM toconfigure VLT 300 to set the amplitude of the analog signal and to setthe frequency and duration of the analog signal using a patterngenerator (any combination of hardware and firmware) to control the GPOunit 285 and VLT 300 to output a second analog signal that is connectedto the GPI unit 280 of the system security device 60 a. The firmware onthe system security device 60 a generates a second response usingparameters stored in the NVM to define a second measurement interval andto configure the GPI unit 280 to convert the second analog signal at itsinput into one or more digital values during the second measurementinterval. A derivative of the digital values is captured as the secondresponse.

The second response is verified by the system security device 60 a (orsent to the SoC 70 to verify) as previously described, and the result iscommunicated over the serial interface to the SoC 70 for further action.

GPO-GPI Self-Authentication (Authentication Challenge Sent Over InternalGPO-GPI Interface, Result Sent Over Serial Interface)

In the embodiment shown in FIG. 18 , all components are placed andconnected as described for the embodiment shown in FIG. 16 , but analogauthentication differs as follows. Instead of the analog signal beinggenerated and sent by one security device 60 to another security device60 over the external analog connection (GPO-to-GPI), the analog signalis generated and sent by a security device 60 to itself over an internalanalog connection (GPO-to-GPI). In this embodiment, the internal analogsignal may be driven from the GPO and received by the GPI over anysuitable internal analog connection. In one example, a security device60 generates an authentication challenge, using any of the methodspreviously described, and sends the challenge (e.g., a random serialpattern) to itself by serially shifting it across the internalconnection of GPO 285 to GPI 280 of security device 60 where it iscaptured as an actual response by the same security device 60. The samesecurity device 60, then compares the response to the expected response(e.g., equivalent to the challenge or to a calculated derivate of thechallenge) and a determination is made whether the security device 60 isauthentic or non-authentic using any of the challenge/responseverification methods previously described. This enables a securitydevice 60 to self-authenticate itself and communicate the result overthe serial interface.

Analog authentication begins with the host SoC 70 commanding, forexample, the system security device 60 a to self-authenticate itself andto command a supply security device 60 b to self-authenticate itself.The supply security device 60 b internally connects the output of itsGPO unit 285 to the input of its GPI unit 280 and disconnect them fromtheir external connections. The supply security device 60 b thengenerates a random challenge, generate a response, and verify theresponse as previously described to self-determine its authenticity. Thesupply security device 60 b communicates the result of the of theself-authentication to the system security device 60 a over the serialinterface and the system security device 60 a communicates the resultsof the self-authentication over the serial interface to the SoC 70 forfurther action.

The description of the details of the above example embodiments havebeen described in the context of using wired communication. In a furtherembodiment, security devices 60 may be connected by wireless technologyto transmit and receive challenge and response signals by antenna toimplement the authentication methods disclosed herein. In thisembodiment, a security device 60 on controller 40 and a security device60 on a supply item 55 may communicate with each other wirelessly. Asecurity device 60 on a supply item 55 and another security device 60 onanother supply item 55 may also communicate with each other wirelessly.In a still further embodiment, a security device 60 may generate anauthentication challenge consisting of a random AC signal generated byan amplifier circuit. The AC signal may be random in amplitude andfrequency and sent to another security device 60 to be authenticated,where it is received and rectified into a DC signal by a rectifiercircuit and then converted from an analog voltage into one or moredigital values, as previously described, and finally used as theresponse to the challenge. The security device 60 may then beauthenticated by using any of the verification methods disclosed herein.

With the above example embodiments, systems and methods have beendisclosed to authenticate security devices that use analog circuits togenerate an analog challenge, generate a digital response, and use anauthentication algorithm and a predetermined threshold to performone-way, mutual, or self-authentication using multiple integratedcircuit devices on a controller or on a supply item. It should beunderstood that many different combinations of these parameters,signals, algorithms, thresholds, protocols, devices, locations, andconnections, each with unique characteristics, may be used to implementthe concepts disclosed herein and all combinations of these componentsare considered embodiments of this invention.

The foregoing illustrates various aspects of the invention. It is notintended to be exhaustive. Rather, it is chosen to provide the best modeof the principles of operation and practical application known to theinventors so one skilled in the art can practice it without undueexperimentation. All modifications and variations are contemplatedwithin the scope of the invention as determined by the appended claims.Relatively apparent modifications include combining one or more featuresof one embodiment with those of another embodiment.

1. In an imaging system having an imaging device and a supply item, eachwith a security device chip and having access to memory, a method ofdetermining authenticity of the supply item installed and connected tothe imaging device, comprising: generating in the imaging device ananalog signal as an authentication challenge to the supply item;transmitting the analog signal from the imaging device to the supplyitem; receiving the analog signal at the supply item; generating by thesupply item a response to the analog signal by converting the analogsignal into one or more digital values; deriving by the supply item anarithmetic or logical derivative of the one or more digital values;transmitting the response from the supply item to the imaging device;receiving the response at the imaging device; and comparing at theimaging device the response with an expected response stored in thememory of the imaging device to determine authenticity of the supplyitem.
 2. The method of claim 1, wherein the generating the analog signalincludes generating a random analog signal.
 3. The method of claim 2,wherein the generating the random analog signal includes generating asignal that is random in at least one of amplitude, frequency, andduration.
 4. The method of claim 1, further comprising providing a tonercartridge as the supply item.
 5. The method of claim 4, furtherincluding providing the security device chip of the toner cartridge withfirst and second analog circuits.
 6. The method of claim 1, furtherincluding providing the security device chip of the imaging device withfirst and second analog circuits.
 7. The method of claim 1, wherein thetransmitting and receiving occur over a shared bus between the securitydevice chips of the imaging device and the supply item.
 8. The method ofclaim 7, further including configuring the shared bus as a two-wireserial bus with one wire of the two-wire serial bus carrying databetween the security device chips of the imaging device and the supplyitem and the other wire of the two-wire serial bus carrying a clocksignal between the security device chips of the imaging device and thesupply item.
 9. The method of claim 1, further including a second supplyitem in the imaging device, the second supply item also having asecurity device chip in communication with the security device chips ofthe imaging device and the supply item.
 10. The method of claim 9,further including transmitting the analog signal to the security devicechip of the second supply item from either the imaging device or thesupply item and receiving the analog signal that the security devicechip of the second supply item.
 11. The method of claim 10, furtherincluding generating by the security device chip of the second supplyitem a second response to the analog signal by converting the analogsignal into one or more additional digital values and capturing aderivative of the one or more additional digital values.
 12. The methodof claim 11, further including transmitting the derivative from thesecurity device chip of the second supply item to said either theimaging device or the supply item from whence the analog signal was saidtransmitted.
 13. The method of claim 12, further including receiving thederivative at said either the imaging device or the supply item andcomparing at said either the imaging device or supply item thederivative with a second expected response stored in the memory of thesaid either the imaging device of the supply item to determineauthenticity of the second supply item.
 14. The method of claim 1,wherein the comparing the response with the expected response includesusing a statistical correlation between the response and the expectedresponse.
 15. In an imaging system having an imaging device and a supplyitem, each with a security device chip having first and second analogcircuits and available memory, a method of determining authenticity ofthe supply item installed in the imaging device and having the securitydevice chips of the imaging device and the supply item connected to oneanother, comprising by either of the security device chips of theimaging device or supply item, generating one or more random numbers;identifying one or more parameters stored in the memory based on the oneor more random numbers; and by one of the analog circuits of said eitherof the security device chips of the imaging device or supply item,generating a random analog signal based on the one or more parametersand using the random analog signal as an authentication challenge to theother of said either of the security device chips of the imaging deviceor supply item.
 16. The method of claim 15, wherein the generating therandom analog signal includes generating a signal that is random in atleast one of amplitude, frequency, and duration.
 17. The method of claim16, further including transmitting over a shared bus between thesecurity device chips of the imaging device and the supply item theauthentication challenge from said either of the security device chipsof the imaging device or the supply item to said other of said either ofthe security device chips of the imaging device or supply item.
 18. Themethod of claim 17, by the security device chip of said other of saideither of the security device chips of the imaging device or supplyitem, receiving the authentication challenge and by another of theanalog circuits generating one or more digital values based on therandom analog signal and capturing a derivative.
 19. The method of claim18, further including providing a response based on the capturedderivative and authenticating the security device chip of the supplyitem based on the response.
 20. The method of claim 18, wherein at leastone of the analog circuits of both of the security device chips of theimaging device and supply item are operative to generate digital valuesfrom the random analog signal during a measurement interval beginningwith a programmable start condition of said either of the securitydevice chips.